PM- 2059 Update Two factor webauthn dialog

[KiruthigaManivannan]

Type of change

- [ ] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [x] Other

Objective

Update Two factor webauthn dialog component to use the component library

Code changes

• two-factor-webauthn.component.html: Converted modal to dialog compoenents
• two-factor-webauthn.component.ts: Added dialog open method. Data passed to dialog is typed.
• two-factor-setup.component.ts: Added Web authn dialog logic and passing the result of two factor verify dialog in the switch statement of mange method call.

Screenshots

Two-step.login._Webauth_.Bitwarden.Web.vault.-.Google.Chrome.2024-05-02.13-42-28.mp4

[KiruthigaManivannan]

@rr-bw When I click the read key button , it is not opening the windows authentication using PIN like in QA vault. That may be due to that im running using local host. Because I get the following err ..

This error is due to the rp value in publicKeyCredentials passed to navigator. So I think this will work in qa vault

[codecov]

Codecov Report

Attention: Patch coverage is 13.63636% with 19 lines in your changes are missing coverage. Please review.

Project coverage is 28.15%. Comparing base (75975dd) to head (d5a6d60).

Files	Patch %	Lines
...app/auth/settings/two-factor-webauthn.component.ts	15.00%	16 Missing and 1 partial ⚠️
...rc/app/auth/settings/two-factor-setup.component.ts	0.00%	2 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #9009   +/-   ##
=======================================
  Coverage   28.14%   28.15%           
=======================================
  Files        2372     2372           
  Lines       70074    70085   +11     
  Branches    13149    13150    +1     
=======================================
+ Hits        19722    19732   +10     
  Misses      48788    48788           
- Partials     1564     1565    +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[github-actions]

Checkmarx One – Scan Summary & Details – 0e1e7e98-26a6-43d1-b52d-8120f61dbbfe

Fixed Issues

Severity	Issue	Source File / Package
	Client_DOM_Code_Injection	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Code_Injection	/apps/browser/src/autofill/services/collect-autofill-content.service.ts: 1054
	Client_DOM_Stored_XSS	/apps/web/src/connectors/sso.ts: 33
	Client_DOM_XSS	/apps/browser/src/auth/scripts/duo.js: 285
	Client_DOM_XSS	/apps/browser/src/auth/scripts/duo.js: 285
	Client_DOM_XSS	/apps/desktop/src/auth/scripts/duo.js: 285
	Client_DOM_XSS	/apps/desktop/src/auth/scripts/duo.js: 285
	Client_DOM_XSS	/apps/web/src/connectors/common.ts: 2
	Client_DOM_XSS	/apps/web/src/connectors/common.ts: 2
	Client_DOM_XSS	/apps/web/src/connectors/common.ts: 2
	Client_DOM_XSS	/apps/web/src/connectors/common.ts: 2
	Client_DOM_XSS	/apps/web/src/connectors/sso.ts: 21
	Client_DOM_XSS	/apps/web/src/connectors/sso.ts: 19
	Client_DOM_XSS	/apps/web/src/connectors/sso.ts: 15
	Absolute_Path_Traversal	/apps/cli/src/commands/serve.command.ts: 347
	Absolute_Path_Traversal	/apps/cli/src/commands/serve.command.ts: 315
	Absolute_Path_Traversal	/apps/cli/src/commands/serve.command.ts: 347
	Absolute_Path_Traversal	/apps/cli/src/commands/serve.command.ts: 315
	Angular_Improper_Type_Pipe_Usage	/apps/browser/src/vault/popup/components/fido2/fido2-use-browser-link.component.html: 1
	Client_Privacy_Violation	/apps/browser/src/background/runtime.background.ts: 314
	Client_Privacy_Violation	/apps/web/src/app/tools/reports/pages/breach-report.component.html: 14
	Client_Privacy_Violation	/apps/browser/src/auth/popup/account-switching/account.component.ts: 12
	Client_Privacy_Violation	/apps/browser/src/auth/popup/account-switching/account.component.ts: 12
	Client_Privacy_Violation	/apps/browser/src/auth/popup/account-switching/account.component.ts: 12
	Client_Privacy_Violation	/libs/components/src/color-password/color-password.component.ts: 25
	Client_Privacy_Violation	/libs/components/src/color-password/color-password.component.ts: 26
	Client_Privacy_Violation	/apps/desktop/src/auth/lock.component.html: 32
	Client_Privacy_Violation	/apps/web/src/app/auth/lock.component.html: 18
	Client_Privacy_Violation	/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts: 161
	Client_Privacy_Violation	/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts: 161
	Client_Privacy_Violation	/apps/web/src/connectors/webauthn-fallback.ts: 116
	Client_Privacy_Violation	/apps/desktop/src/auth/lock.component.html: 32
	Client_Privacy_Violation	/apps/web/src/app/auth/recover-two-factor.component.html: 37
	Client_Privacy_Violation	/apps/web/src/app/auth/lock.component.html: 18
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/view.component.html: 534
	Client_Privacy_Violation	/libs/components/src/color-password/color-password.component.ts: 14
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/view.component.html: 60
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/view.component.html: 56
	Client_Privacy_Violation	/apps/browser/src/tools/popup/generator/password-generator-history.component.html: 26
	Client_Privacy_Violation	/apps/browser/src/vault/popup/components/vault/password-history.component.html: 18
	Client_Privacy_Violation	/apps/desktop/src/app/tools/password-generator-history.component.html: 15
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/password-history.component.html: 12
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/view.component.html: 50
	Client_Privacy_Violation	/libs/components/src/color-password/color-password.component.ts: 14
	Client_Privacy_Violation	/apps/browser/src/tools/popup/generator/password-generator-history.component.html: 26
	Client_Privacy_Violation	/apps/browser/src/vault/popup/components/vault/password-history.component.html: 18
	Client_Privacy_Violation	/apps/desktop/src/app/tools/password-generator-history.component.html: 15
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/password-history.component.html: 12
	Missing_HSTS_Header	/apps/cli/src/auth/commands/login.command.ts: 707
	SSRF	/libs/importer/src/importers/lastpass/access/services/rest-client.ts: 69
	SSRF	/libs/importer/src/importers/lastpass/access/services/rest-client.ts: 69
	Angular_Usage_of_Unsafe_DOM_Sanitizer	/apps/desktop/src/app/components/avatar.component.ts: 75
	Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/avatar/avatar.component.ts: 80
	Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/icon/icon.component.ts: 18
	Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/icon/icon.component.ts: 18
	Client_DOM_Open_Redirect	/apps/browser/src/platform/popup/layout/popup-header.component.ts: 29
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/accessibility-cookie.component.html: 18
	Client_DOM_Open_Redirect	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Open_Redirect	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Open_Redirect	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Open_Redirect	/apps/web/src/connectors/sso.ts: 21
	Client_DOM_Open_Redirect	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Open_Redirect	/apps/web/src/connectors/sso.ts: 19
	Client_DOM_Open_Redirect	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Open_Redirect	/apps/web/src/connectors/sso.ts: 15
	Client_DOM_Open_Redirect	/apps/browser/src/tools/popup/generator/password-generator-history.component.ts: 18
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/account-switching/current-account.component.ts: 35
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request.component.ts: 60
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request.component.ts: 60
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request.component.ts: 60
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request.component.ts: 60
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/account-switching/account.component.ts: 24
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request.component.ts: 52
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request.component.ts: 52
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request.component.ts: 52
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request.component.ts: 52
	Client_DOM_Open_Redirect	/apps/browser/src/vault/popup/components/vault/password-history.component.ts: 21
	Client_DOM_Open_Redirect	/apps/browser/src/billing/popup/settings/premium.component.ts: 27
	Client_DOM_Open_Redirect	/apps/browser/src/vault/popup/components/vault/attachments.component.ts: 32
	Client_DOM_Open_Redirect	/libs/common/src/auth/iframe-component.ts: 49
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/libs/common/src/auth/webauthn-iframe.ts: 25
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/libs/common/src/auth/webauthn-iframe.ts: 25
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_Hardcoded_Domain	/apps/web/src/app/billing/shared/payment.component.ts: 56
	Client_Hardcoded_Domain	/apps/web/src/app/billing/shared/payment.component.ts: 56
	Client_Hardcoded_Domain	/apps/web/src/connectors/captcha.ts: 57
	Client_JQuery_Deprecated_Symbols	/apps/cli/src/auth/commands/login.command.ts: 575
	Client_JQuery_Deprecated_Symbols	/libs/angular/src/auth/components/update-temp-password.component.ts: 132
	Client_JQuery_Deprecated_Symbols	/libs/angular/src/auth/components/change-password.component.ts: 91
	Client_JQuery_Deprecated_Symbols	/apps/cli/src/program.ts: 615
	Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/content/notification-bar.ts: 868
	Client_Use_Of_Iframe_Without_Sandbox	/apps/browser/src/autofill/overlay/iframe-content/autofill-overlay-iframe.service.ts: 90
	Client_Use_Of_Iframe_Without_Sandbox	/apps/web/src/connectors/duo.ts: 8
	Client_Use_Of_Iframe_Without_Sandbox	/apps/web/src/connectors/duo.ts: 8
	Client_Weak_Cryptographic_Hash	/libs/common/src/platform/services/web-crypto-function.service.ts: 142
	Client_Weak_Cryptographic_Hash	/apps/desktop/src/proxy/ipc.ts: 24
	Missing_CSP_Header	/apps/cli/src/auth/commands/login.command.ts: 707
	Unprotected_Cookie	/apps/web/src/app/auth/two-factor.component.ts: 143
	Unprotected_Cookie	/apps/web/src/connectors/duo-redirect.ts: 57
	Unprotected_Cookie	/apps/web/src/connectors/duo-redirect.ts: 112
	Unprotected_Cookie	/apps/web/src/connectors/sso.ts: 33
	Unprotected_Cookie	/apps/web/src/app/auth/sso.component.ts: 137
	Unsafe_Use_Of_Target_blank	/apps/web/src/app/auth/settings/two-factor-recovery.component.ts: 25
	Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/cli/src/vault/create.command.ts: 68

[rr-bw]

When I click "Save" I get the following error, are you able to track this down? Everything works fine on main. Let me know if you need help debugging.

[KiruthigaManivannan]

When I click "Save" I get the following error, are you able to track this down? Everything works fine on main. Let me know if you need help debugging.

@rr-bw Actually the issue is when we give name in the name input field , it should read key. Since we already have issue in reading key in local host , webAuthnResponse is null. And actual workflow is if webAuthnResponse is null Save button should be disabled. It should not be enabled and user is unable to click. But here even if the webAuthnResponse is null save is getting enabled. Yes please help me in debugging.

[KiruthigaManivannan]

When I click "Save" I get the following error, are you able to track this down? Everything works fine on main. Let me know if you need help debugging.

@rr-bw Actually the issue is when we give name in the name input field , it should read key. Since we already have issue in reading key in local host , webAuthnResponse is null. And actual workflow is if webAuthnResponse is null Save button should be disabled. It should not be enabled and user is unable to click. But here even if the webAuthnResponse is null save is getting enabled. Yes please help me in debugging.

@rr-bw Please advise on the above

[rr-bw]

It won't let me comment on the specific line, but line 39 of the html file needs updated to tw-text-muted.

[rr-bw]

Should this be enabled: boolean?

[rr-bw]

TwoFactorProviderType.WebAuthn, not Authenticator.

[rr-bw]

Do will still need name? Where do we access this property?

[KiruthigaManivannan]

@rr-bw Yes this is used in setup component , to immediately send enabled status to set up component , the enabled tick mark should appear before we close the dialog . so we are using this event emitter.

[rr-bw]

Is private dialogRef: DialogRef injection needed? I don't see where we are reading it.

[rr-bw]

Could you remove the trailing single quote ' in the string?

[rr-bw]

Go with <span>s here instead of paragraphs. Our paragraphs add some extra margin on the bottom which spreads them out. The original spacing looks like this:

[rr-bw]

I think tw-flex-row is unnecessary because it is the default.

[rr-bw]

Typo: bitFormButton

[rr-bw]

I don't think we are using this #disableBtn templateRef anymore.

[rr-bw]

When I click "Save" I get the following error, are you able to track this down? Everything works fine on main. Let me know if you need help debugging.

@rr-bw Actually the issue is when we give name in the name input field , it should read key. Since we already have issue in reading key in local host , webAuthnResponse is null. And actual workflow is if webAuthnResponse is null Save button should be disabled. It should not be enabled and user is unable to click. But here even if the webAuthnResponse is null save is getting enabled. Yes please help me in debugging.

@jlf0dev or @JaredSnider-Bitwarden Would either of you have capacity to help in debugging this? I can't seem to track down the issue. The "save" button is somehow getting enabled when you simply start typing in the name field. It's supposed to remain disabled as long as webAuthnResponse is null. It's almost like form status changes are overriding our [disabled]="!webAuthnResponse" on the "save" button. One odd thing I noticed is that if I remove bitFormButton from the "save" button, it will in fact remain disabled until you Read Key. (But we still then have the problem where clicking "save" gives an error).